Configure the AWS CLI to use the COS Root CA Certificate
You must configure the AWS CLI to use the COS root CA certificate. To do so, edit ~/.aws/config and add the following line to the AWS CLI configuration file:
ca_bundle = /opt/vormetric/DataSecurityExpert/agent/squid/etc/cosCA.crt
For example:
cat ~/.aws/config
[default]
output = json
Region = us-west-1
ca_bundle = /opt/vormetric/DataSecurityExpert/agent/squid/etc/cosCA.crt
Configure the AWS CLI Network Proxy
All communications between client applications and the AWS server must go through the COS proxy, so the environment variable HTTPS_PROXY or https_proxy must be set. If both variables are defined, the AWS CLI uses https_proxy.
For example:
export HTTPS_PROXY=localhost:3128
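The two settings above (the ca_bundle entry and the proxy variable) are easy to get half right, and a wrong https_proxy silently wins over HTTPS_PROXY. As an added example that is not part of this product documentation, the following Python pre-flight check parses an AWS CLI config file and the proxy environment and reports anything that would keep the CLI from reaching S3 through the COS proxy. The sample config is constructed for the example; the CA path and proxy address are the ones stated above.

```python
import configparser
import os
from typing import List, Mapping, Optional

# Values the documentation above requires (not assumptions).
COS_CA_BUNDLE = "/opt/vormetric/DataSecurityExpert/agent/squid/etc/cosCA.crt"
COS_PROXY = "localhost:3128"

# Constructed sample of an AWS CLI config file, mirroring the example above.
SAMPLE_CONFIG = """[default]
output = json
region = us-west-1
ca_bundle = /opt/vormetric/DataSecurityExpert/agent/squid/etc/cosCA.crt
"""


def check_aws_config(config_text: str, profile: str = "default") -> List[str]:
    """Return findings for the contents of an AWS CLI config file.

    An empty list means the profile carries the required ca_bundle entry.
    The AWS CLI names non-default profiles "[profile NAME]" in this file.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(config_text)
    section = "default" if profile == "default" else f"profile {profile}"
    if not cp.has_section(section):
        return [f"section [{section}] is missing from the AWS CLI config"]
    ca_bundle: Optional[str] = cp.get(section, "ca_bundle", fallback=None)
    if ca_bundle is None:
        return [f"[{section}] has no ca_bundle entry; add ca_bundle = {COS_CA_BUNDLE}"]
    if ca_bundle != COS_CA_BUNDLE:
        return [f"[{section}] ca_bundle is {ca_bundle}, expected {COS_CA_BUNDLE}"]
    return []


def check_proxy_env(env: Mapping[str, str]) -> List[str]:
    """Return findings for the proxy variables the AWS CLI will honour.

    Mirrors the rule stated above: https_proxy wins when both are set.
    """
    findings: List[str] = []
    upper = env.get("HTTPS_PROXY")
    lower = env.get("https_proxy")
    if upper is None and lower is None:
        return ["neither HTTPS_PROXY nor https_proxy is set; export HTTPS_PROXY=" + COS_PROXY]
    effective = lower if lower is not None else upper
    if upper is not None and lower is not None and upper != lower:
        findings.append(
            f"HTTPS_PROXY ({upper}) and https_proxy ({lower}) differ; the AWS CLI uses https_proxy"
        )
    # Accept an optional scheme prefix, e.g. http://localhost:3128, and compare host:port.
    host_port = effective.split("://", 1)[-1].rstrip("/")
    if host_port != COS_PROXY:
        findings.append(f"effective proxy is {effective}, expected {COS_PROXY}")
    return findings


def preflight(config_text: str, env: Mapping[str, str], profile: str = "default") -> List[str]:
    """Combine both checks; an empty list means the CLI will reach S3 through the COS proxy."""
    return check_aws_config(config_text, profile) + check_proxy_env(env)


if __name__ == "__main__":
    path = os.path.expanduser("~/.aws/config")
    try:
        with open(path) as fh:
            text = fh.read()
    except FileNotFoundError:
        text = SAMPLE_CONFIG  # fall back to the constructed sample when run offline
    for line in preflight(text, os.environ) or ["OK: CA bundle and proxy configured for CTE COS S3"]:
        print(line)
```

Run it on the host before the first S3 request; a non-empty report names the exact line or variable to fix.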
Configure CTE COS S3
For CTE COS S3 to perform transparent encryption and decryption, all requests sent to the AWS S3 server must be generated and signed using valid AWS credentials. CTE COS S3 can obtain these credentials in any of the following ways:
The User Supplies the Credentials for the User's AWS Account
The application can send the long-term credentials from the user's AWS account to CTE COS S3. These credentials do not expire.
For the AWS CLI, the credentials are in the credentials file ~/.aws/credentials. The user credentials consist of an Access Key ID and a Secret Access Key. For details about accessing the user's credentials, see your AWS documentation.
To add the AWS credentials to CTE COS S3, use the voradmin cos s3 cred add command:
voradmin cos s3 cred add [<aws_key_id> <aws_secret_key>]
where:
- <aws_key_id> is the AWS access key ID from the ~/.aws/credentials file.
- <aws_secret_key> is the AWS secret access key from the same file.
For example:
voradmin cos s3 cred add AKIA****P KQSm****D
The User Supplies Temporary Security Credentials
You can use temporary security credentials, which expire after a short period of time. Temporary security credentials are usually obtained through IAM roles and other features of the AWS Security Token Service.
Use the voradmin cos s3 cred add command, described above, to add the temporary credentials to CTE COS S3.
CTE COS S3 Captures Temporary Credentials
CTE COS S3 can capture a newly generated temporary security credential and automatically add it to CTE COS S3 if the application generates the credential using the AWS Security Token Service with one of the following three actions and HTTPS_PROXY is set to localhost:3128.
- AssumeRole
- AssumeRoleWithSAML
- AssumeRoleWithWebIdentity
No other action is required from the application or user.
CTE COS S3 Retrieves Credentials from EC2 Instance Metadata Service
When CTE COS S3 is installed on an AWS EC2 instance with an attached role, CTE COS S3 automatically retrieves the credential from the Instance Metadata Service and uses it. However, if CTE COS S3 already has a valid credential supplied by the user or administrator using the voradmin command, that credential is used instead. For information about setting up an IAM Role, see your AWS EC2 documentation.
No action is required from the application or user.
Setting the Default Chunk Size
Note
If a chunk size is configured in the AWS CLI configuration, you must configure the same chunk size for CTE COS S3.
The default chunk size for multi-part uploads is 8 MB. To change the chunk size, use the following command:
voradmin cos s3 chunk [<aws_key_id> <aws_secret_key>] [<chunk_size>]
where:
- <aws_key_id> is the AWS access key ID from the ~/.aws/credentials file.
- <aws_secret_key> is the AWS secret access key from the same file.
- <chunk_size> is the number of MB per chunk that you want to use for multi-part uploads. Enter an integer between 5 and 5120.
The voradmin command prompts for any of the optional parameters that you do not specify on the command line.
For example, to set a chunk size of 250 MB, you would enter:
voradmin cos s3 chunk AKIA****P KQSm****D 250
Optionally Support other 3rd Party S3 Compatible Storage
CTE COS S3 has a configuration file that lists all supported S3 compatible cloud storages. It is located at:
`<installation directory>/agent/squid/etc/cos.conf`
To support a new 3rd party S3 compatible storage:
- Add a new section to the configuration file with its name and endpoint base URL. The following is an example with Wasabi Cloud Storage.
[wasabi]
endpoint = wasabisys.com
- Restart the CTE COS service using the following commands:
voradmin cos service stop
voradmin cos service start
- Configure credentials and other needed items following the guidelines for the 3rd party S3 compatible storage.
Configure a CTE COS S3 Role for Guarded Buckets
AWS provides the IAM Role feature that contains certain specific permissions. A user can assume the IAM Role and therefore take on those permissions. CTE COS S3 provides a special feature using this IAM Role to prevent access to one or more buckets outside the CTE COS S3 protection as shown in the following diagram:
Note
This step is optional.
Only hosts that are configured with the CTE COS S3 Role can access the protected buckets. All other access attempts from any hosts where the CTE COS S3 Role is not configured, including attempts made through the AWS S3 Console, are blocked for the protected buckets.
This is a one-time configuration process. After the CTE COS S3 Role is configured on a host by the system or security administrator, all authorized users in the host can access the protected buckets.
Prerequisites
To set up a CTE COS S3 Role, you need a delegated IAM user, role, and policy. The delegated IAM user should be created by the AWS Administrator without any specific privileges. The role and policy must be created by a user who has at least the following privileges:
- iam:ListPolicies
- iam:CreatePolicy
- iam:GetPolicyVersion
- iam:ListRoles
- iam:ListRolePolicies
- iam:ListAttachedRolePolicies
- iam:AttachRolePolicy
- iam:UpdateAssumeRolePolicy
- iam:CreateRole
- iam:GetRole
Procedure
- In the IAM Management Console, create a policy that allows access to specific S3 resources. You can leave the policy open to include all S3 resources in the account or include only those buckets that require CTE protection. Make sure you name the policy something that you will remember.
Tip
You can also create the policy as an inline policy after you create the CTE COS S3 Role later in this procedure.
For example, you can create a policy called VTE_S3_Role_Policy that allows access to the single S3 bucket vte-cos-s3-rtb. To verify that the policy restricts access to that bucket, you can look at the Resource allocation in the Policy summary. The full JSON for the VTE_S3_Role_Policy is:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::vte-cos-s3-rtb",
        "arn:aws:s3:::vte-cos-s3-rtb/*"
      ]
    }
  ]
}
- Create a new role that you can use for the CTE COS S3 Role. For example, you could call the role VTE_S3_Role.
- Assign the CTE COS S3 policy you created to the role, or click Add inline policy to create a new policy.
- Create a delegated IAM user for the CTE COS S3 Role. The user does not require any privileges because its only job is to assume the CTE COS S3 Role. The delegated IAM user can either be in the same account as the role or in a different trusted account. For example, you could create a user called VTE_S3_User with no privileges.
- Set "Trusted Entities" to the delegated IAM user on the Trust relationships tab.
- Configure the CTE COS S3 Role with the credentials of the delegated IAM user you created earlier by entering the following command on the host system:
voradmin cos s3 role config [<aws_key_id> <aws_secret_key> <user_arn> <role_arn>]
where:
- <aws_key_id> is the AWS access key ID for the delegated IAM user that you created.
- <aws_secret_key> is the AWS secret access key for the delegated IAM user that you created.
- <user_arn> is the Amazon Resource Name for the delegated IAM user that you created.
- <role_arn> is the Amazon Resource Name for the delegated IAM Role that you created.
If you omit any of the optional parameters, the voradmin command prompts you for that information.
For example, if the AWS account number for the delegated IAM user is 1XXXXXXXXXXX, the user name is VTE_S3_User, and the CTE COS S3 Role is VTE_S3_Role, you would enter:
voradmin cos s3 role config AKIA****P KQSm****D arn:aws:iam::1XXXXXXXXXXX:user/VTE_S3_User arn:aws:iam::1XXXXXXXXXXX:role/VTE_S3_Role
After you configure the user and assign the CTE COS S3 Role, CTE will access the S3 bucket through the delegated IAM user account using temporary credentials that CTE regenerates periodically. These credentials are maintained entirely by CTE and are never exposed to end users.
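The procedure above hinges on two documents: a permission policy scoped to the guarded buckets, and a trust relationship that lets only the delegated IAM user assume the role. As an added example that is not part of this product documentation, the following Python builds both documents from a bucket list and a user ARN, and checks programmatically what the Policy summary's Resource view shows by eye: that a permission policy grants S3 access to no bucket outside the intended set, so an accidentally open policy is caught before it is attached to the role. The account number and names are the placeholders used above; the trust policy form is the standard AWS form for an IAM user principal, assumed here to match what the console's Trusted Entities setting produces.

```python
import json
from typing import Any, Dict, Iterable, List, Set

S3_ARN_PREFIX = "arn:aws:s3:::"

# Placeholders taken from the documentation above; substitute your own values.
ACCOUNT_ID = "1XXXXXXXXXXX"
DELEGATED_USER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:user/VTE_S3_User"

# Constructed example of the "leave the policy open" variant mentioned above.
OPEN_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def bucket_access_policy(bucket_names: Iterable[str]) -> Dict[str, Any]:
    """Permission policy granting s3:* on the named buckets and their objects only.

    Same shape as VTE_S3_Role_Policy above: every bucket needs both the
    bucket ARN and the bucket/* ARN, or object operations are not covered.
    """
    resources: List[str] = []
    for name in bucket_names:
        resources.append(f"{S3_ARN_PREFIX}{name}")
        resources.append(f"{S3_ARN_PREFIX}{name}/*")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "VisualEditor1", "Effect": "Allow", "Action": "s3:*", "Resource": resources}
        ],
    }


def trust_policy(user_arn: str) -> Dict[str, Any]:
    """Trust relationship for the role: only the delegated IAM user may assume it.

    Assumption: this is the standard AWS trust-policy form for an IAM user
    principal, equivalent to setting Trusted Entities in the console.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": {"AWS": user_arn}, "Action": "sts:AssumeRole"}
        ],
    }


def _as_list(value: Any) -> List[str]:
    """IAM allows a string or a list in Action and Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def s3_buckets_granted(policy: Dict[str, Any]) -> Set[str]:
    """Bucket names that Allow statements grant S3 actions on; "*" means any bucket."""
    granted: Set[str] = set()
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear without a list
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a == "*" or a.lower().startswith("s3:") for a in actions):
            continue
        for res in _as_list(stmt.get("Resource")):
            if res == "*":
                granted.add("*")
            elif res.startswith(S3_ARN_PREFIX):
                bucket = res[len(S3_ARN_PREFIX):].split("/", 1)[0]
                # A wildcard or empty bucket name is treated conservatively as "any bucket".
                granted.add("*" if not bucket or "*" in bucket else bucket)
    return granted


def policy_is_scoped_to(policy: Dict[str, Any], allowed_buckets: Iterable[str]) -> bool:
    """True when the policy grants S3 access to no bucket outside allowed_buckets."""
    granted = s3_buckets_granted(policy)
    return "*" not in granted and granted <= set(allowed_buckets)


if __name__ == "__main__":
    policy = bucket_access_policy(["vte-cos-s3-rtb"])
    print(json.dumps(policy, indent=2))
    print(json.dumps(trust_policy(DELEGATED_USER_ARN), indent=2))
    print("scoped to vte-cos-s3-rtb:", policy_is_scoped_to(policy, ["vte-cos-s3-rtb"]))
    print("open policy scoped:", policy_is_scoped_to(OPEN_POLICY, ["vte-cos-s3-rtb"]))
```

The scoping check only looks at Allow statements, so it reports what the policy can grant; Deny statements elsewhere in the account are not modelled. Paste the printed documents into the policy and trust-relationship editors, or keep the check in a review script so the Resource list is verified every time the policy changes.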
Secure an S3 Bucket with the CTE COS S3 Role
When you enable the CTE COS S3 Role for a bucket, the associated bucket policy prevents unauthorized users from accessing the contents of the bucket. To enable the CTE COS S3 Role for a bucket, use the following command:
voradmin cos s3 role secure-bucket <aws_key_id> <aws_secret_key> <cos_name> <region> <bucket_name>
where:
- <aws_key_id> is the AWS access key ID for the delegated IAM user that you created.
- <aws_secret_key> is the AWS secret access key for the delegated IAM user that you created.
- <cos_name> is the cloud service name from the CTE COS configuration file, <installation directory>/agent/squid/etc/cos.conf.
- <region> is the region where the S3 bucket is located in the targeted cloud storage service.
- <bucket_name> is the name of the S3 bucket on which you want to enable the CTE COS S3 Role.
For example, if the bucket name is vte-cos-s3-rtb, you would enter:
voradmin cos s3 role secure-bucket AKIA****P KQSm****D aws us-west-1 vte-cos-s3-rtb
Disable the CTE COS S3 Role for an S3 Bucket
To remove the CTE COS S3 Role restrictions associated with a bucket, use the following command:
voradmin cos s3 role release-bucket <aws_key_id> <aws_secret_key> <cos_name> <region> <bucket_name>
where:
- <aws_key_id> is the AWS access key ID for the delegated IAM user that you created.
- <aws_secret_key> is the AWS secret access key for the delegated IAM user that you created.
- <cos_name> is the cloud service name from the CTE COS configuration file, <installation directory>/agent/squid/etc/cos.conf.
- <region> is the region where the S3 bucket is located in the targeted cloud storage service.
- <bucket_name> is the name of the S3 bucket on which you want to disable the CTE COS S3 Role.
For example, if the bucket name is vte-cos-s3-rtb, type:
voradmin cos s3 role release-bucket AKIA****P KQSm****D aws us-west-1 vte-cos-s3-rtb